Vulnerability Description

Brief Description: loadmodule(1) uses system(3) to execute ld.so(1). It doesn't properly restrict the IFS variable.

Detailed Description: loadmodule is a program that loads moldules dynamically into a running kernel. loadmodule uses system to execute ld.so to do the actual dynamic loading. loadmodule does not reset the environment variable IFS to a safe state before it calls system.

Component(s): loadmodule system sh

Version(s): those distributed with the named operating systems

Operating System(s): SunOS 4.1.1, SunOS 4.1.2, SunOS 4.1.3 (trusted source); SunOS 4.1.3, Openwindows 3.0 (verified);

Other Information: A user account is required.

Effects:Access to the account of the owner of loadmodule; this must be root, or else the modules could not be loaded into the kernel.

Detecting the Vulnerability:

* Compare versions with those listed in "Vulnerable Systems." If it matches any of those, you are vulnerable.

* Replace ld.so with a shell script or program that prints the current value of IFS. Add the character / to the value of IFS. Run loadmodule and see if the value of IFS in your current environment is printed. If so, you have the vulnerability.

Fixing the Vulnerability:

* Upgrade to a newer version.

* For SunOS 4.1.x systems, apply Sun patch 100448-02.

* For Solaris systems, apply Sun patch 101200-02.

* For Openwindows, turn off setuid permission on /usr/openwin/bin/loadmodule.

* If you have the source code, clean out the environment before calling system.

Cataloguing

Keywords:loadmodule, system, sh, IFS

Exploiting

Attack Methods or Tools: Not provided.

Related Information

Advisories and Other Alerts: CA-93:18; Sun 00124

Related Vulnerabilities: none.

History

First Report We Know Of: by Mark Kraitchman kraitch@eecs.berkeley.edu, Peter Shipley

Revisions of Database Record

1. Omar Vanegas(Jul 22, 1998): Entered into DOVES.

2. Mike Dilger(original): Entered into original database.